Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers has to show up in the certificates?
The statement in EBA -Op-2018-7 Item 21 (Opinion of the EBA on the use of eIDAS certificates)
“CAs should also ensure that ASPSPs accept eIDAS certificates presented by agents or outsource providers acting on behalf of AISPs, PISPs and CBPIIs, provided that the ASPSP is in a position to unequivocally identify the principal PSP in the presented certificate.“ seems to indicate that certificates in this situation have a different content.
Qualified Trust Service Providers (QTSPs) have to know which information is expected in the certificates.
Article 34 of the Commission Delegated Regulation (EU) 2018/389 specifies that for the purpose of identification, as referred to in Article 30(1)(a), payment service providers (PSP) shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication as referred to in Article 3(39) of that Regulation.
Where a PSP providing account information, payment initiation or card-based payment instrument issuing services uses agents or has outsourced to technical service providers (TSPs) part of its activities, including in relation to the access to the online accounts held within an account servicing payment service provider (ASPSP), in line with paragraph 20 of the EBA Opinion on the use of eIDAS certificates (EBA-Op-2018-7), it remains responsible and liable for the acts of these agents and TSPs.
In addition and as stated in paragraph 21 of the EBA Opinion, ASPSPs should be in a position to unequivocally identify the principal PSP in the presented certificate.
In relation to the above two paragraphs, eIDAS certificates should be issued to authorised/registered PSPs and contain the name of said PSP in the so called ‘Subject Distinguished Name’.
Further, in line with paragraph 20 of the EBA Opinion, in the cases where an eIDAS certificate is presented to ASPSPs by an agent or a TSP acting on behalf of the PSP accessing the online account, if technically feasible, the name of the agent/TSP may be included in the eIDAS certificate in addition to the name of the principal PSP. ASPSPs are required to identify the principal PSP only.
Finally, it should be noted that there is no legal requirement to include the name of the agent in the eIDAS certificate.